1. Field of the Invention
The present invention is generally related to systems and methods of protecting persistently stored data from unauthorized access and modification and, in particular, to a system and method of reliably securing persistent data managed through a file system server operating in the role of an application or database service provider platform.
2. Description of the Related Art
Maintaining robust and verifiable security over persistently stored data has and continues to be a primary requirement in the operation of commercial, governmental, and essentially all other computing environments. Achieving a desired high level of security, however, is not commonly realized for a variety of reasons. With the fast-paced development particularly of the Internet infrastructure, the diversity of network architectures, infrastructure devices, and computer protocols has rapidly increased. Thus, the number, variety, and complexity of computer systems and network components that must be cooperatively managed to establish at least a minimum uniform level of security within some defined domain has correspondingly increased. The practical difficulties of coordinated management of the different systems and components, as well as systemic failures to protect against both known and previously unrecognized security attack approaches, also contribute to the vulnerabilities of systems and networks to security breaches.
Conventionally, security protections for a given domain are layered and specialized depending on the operational nature of corresponding individual computer systems and network components. Typically, these security protections are implemented variously as password challenges and data and connection filters layered over the core functionality of a computer system or network component. The conventional implementation of security functions in software in computer systems and network components implicitly recognizes the inherent complexity of establishing robust security mechanisms and the very practical need to frequently apply patches to close both previously unrecognized and newly emergent vulnerabilities.
Different architectural approaches have been explored to minimize the vulnerabilities of different security mechanisms to attack and, ultimately, loss of security over persistently stored data. U.S. Pat. No. 5,007,082, issued Apr. 9, 1991 to Cummins, describes an early data security system applicable to file data transfers. Balancing the need for security, transparency of use and compatibility, Cummins describes a hardware specific, software-based encryption control system that interoperates with the platform operating system at the basic I/O system (BIOS) level. File data transfer operations provided by the BIOS are selectively re-vectored to compatible routines implementing encryption and decryption functions against file level data. The described functions perform file-level encryption and decryption. Consequently, full file reads and writes are required to support application program read/write support. Compatibility further requires that the relevant file data memory buffers must be maintained in an unencrypted state to support dynamic read/write operations directed by executing applications.
U.S. Pat. No. 5,584,023, issued Dec. 10, 1996 to Hsu describes a similar, but more advanced software-based file-data encryption system. An operating system kernel mode driver is used to re-vector selected file data related operating system calls at the system call interface level. The underlying operating system provided file-oriented system calls are wrapped to support block-level encryption and decryption services, where the block size is determined by the nominal operation of the operating system. File blocks retrieved from encrypted files are generally maintained in an encrypted state while managed by the operating system within the kernel space buffer cache. The encryption and decryption algorithms utilize password keys to select encryption code tables defined against user related processes and initialized with the invocation of an initial user process. Separate file attribute tables, populated from data appended to the individual disk files, define the encryption attributes of individual actively accessed files. The various code and attribute tables are dynamically allocated and limit pointer references to increase the difficulty in tracing the data structures and the corresponding operation of the kernel mode driver.
A more involved, but similar encryption system is described in U.S. Pat. No. 6,249,866, issued Jun. 19, 2001 to Brundrett et al. An extensive modification of the operating system is described to integrate both file and file system encryption functions into a logically unified view of the underlying file system space. Operating system calls to read and write data are evaluated on interception to determine if the calls are directed to an encrypted file system directory or file. System call file data transferred relative to an encryption flagged directory or file is encrypted or decrypted utilizing a key associated with the target directory or file utilizing a kernel mode driver layered above a conventional file system, such as the NT file system (NTFS). The encryption keys and encryption driver management systems are implemented as a combination of operating system kernel functions and user-mode key management applications.
While these conventional security systems provide a significant degree of security over persistent stored data, each fails to establish a comprehensive security system. Each of these systems remains particularly vulnerable to basic Trojan attacks for obtaining passwords and encryption keys, thereby permitting complete conversion of the security systems to support inappropriate access to and modification of the persistent stored data. Furthermore, these systems provide no protection against the execution of user-mode programs that may exploit vulnerabilities in the operating system to gain unlimited root or administrator control over the operating system. An intruder can then either directly circumvent the kernel password and encryption mechanisms or breach the security of the password and encryption key management systems to obtain the passwords and keys. In either case, the intruder again obtains unencumbered access to the ostensibly secured persistently stored data over the heightened encryption-based security capabilities with little greater difficulty than exploiting the typically limited security protections afforded by the operating system itself.
Ultimately, the security systems described by Cummins, Hsu, and Brundrett et al. rely on the basic security subsystems of the local operating system to prevent attack on the underlying encryption mechanisms. Where utilized on systems that are part of an extended security domain, these and similar systems also inherently rely on whatever cooperative management policies are enforced for the coordinated configuration of the required password and encryption key management systems. Unintended errors and perhaps more typically lapses in the consistent and comprehensive management of the security mechanisms protecting the security domain only increase the availability of operating system vulnerabilities that may be exploited to penetrate the security domain and inappropriately permit access to persistently stored data.
Consequently, there is a clear need for mechanisms to secure persistent data that are ultimately reliable and cooperatively manageable.